Configuring YARN with Kerberos
Provides instructions on how to configure YARN to run with Kerberos on every node in the cluster.
-
Enabling Wire-level Security by executing
configure.sh
with the security options. - Configuring Kerberos by creating a Kerberos principle and keytab file.
Now complete the following tasks.
Configure the yarn-site.xml File
Add the following properties to the yarn-site.xml
file on every node in
the cluster.
/opt/mapr/hadoop/hadoop-<version>/etc/hadoop/yarn-site.xml
/opt/mapr/conf/mapr.keytab
for the
keytab
property and mapr
instead of
yarn
for the principal
property.<!-- ResourceManager security configs -->
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/opt/mapr/conf/mapr.keytab</value> <!-- path to the YARN keytab -->
</property>
<property>
<name>yarn.resourcemanager.principal</name>
<value>mapr/_HOST@YOUR-REALM.COM</value>
</property>
<!-- NodeManager security configs -->
<property>
<name>yarn.nodemanager.keytab</name>
<value>/opt/mapr/conf/mapr.keytab</value> <!-- path to the YARN keytab -->
</property>
<property>
<name>yarn.nodemanager.principal</name>
<value>mapr/_HOST@YOUR-REALM.COM</value>
</property>
<property>
<name>yarn.nodemanager.container-executor.class</name>
<value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
<name>yarn.nodemanager.linux-container-executor.group</name>
<value>mapr</value>
</property>
Configure the mapred-site.xml File
Add the following properties to the mapred-site.xml
file on every node in
the cluster.
/opt/mapr/hadoop/hadoop-2.7.0/etc/hadoop/mapred-site.xml
Note that you need to use /opt/mapr/conf/mapr.keytab
for the
keytab
property and mapr
instead of
yarn
for the principal
property.
<!-- MapReduce Job History Server security configs -->
<property>
<name>mapreduce.jobhistory.address>/name>
<value>host:port>/value> <!-- Host and port of the MapReduce Job History Server; default port is 10020 -->
</property>
<property>
<name>mapreduce.jobhistory.keytab>/name>
<value>/opt/mapr/conf/mapr.keytab>/value> <!-- path to the YARN keytab -->
</property>
<property>
<name>mapreduce.jobhistory.principal>/name>
<value>mapr/_HOST@YOUR-REALM.COM>/value>
</property>
Modifying the env.sh File
The env.sh
file contains a setting for MapR login options that defaults to
the value maprsasl
. Change this value to hybrid
, which
applies to Kerberos and other security protocols.
The new line (after the change) should look like this:
MAPR_LOGIN_OPTS="-Dhadoop.login=hybrid ${MAPR_JAAS_CONFIG_OPTS} ${MAPR_ZOOKEEPER_OPTS}"
Restart ResourceManager, NodeManager, and JobHistoryServer
maprcli node services
command (with the name
option) or
the MCS. After restarting the services, make sure you can run simple Hadoop jobs by
running:hadoop jar /opt/mapr/hadoop/hadoop-<version>/share/hadoop/mapreduce/hadoop-mapreduce-examples-<version>.jar pi